1########################################## 10 I'm Sid3^effects member from Inj3ct0r Team 11########################################## 00-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
Name :Joomla com_mysms Upload Vulnerability
Date : july 10,2010
Critical Level : HIGH
vendor URL :http://www.willcodejoomlaforfood.de/
Author : Sid3^effects aKa HaRi
special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,MaYur,MA1201,KeDar,Sonic,gunslinger_
greetz to :www.topsecure.net ,All ICW members and my friends :) luv y0 guyz
#######################################################################################################
Description
MySMS is standing for"Simple sms component"for Joomla. The MySMS component is now available for Joomla 1.0.x ( com_mysms-0.9.4.zip)andfor Joomla 1.5.x series ( use com_mysms-1.5.10.zip).
This component supports following sms gateway provider today: w2sms, teleword, smskaufen, smscreator, sms77, sms4credits, mobilant, mesmo, clickatell, aspsms, nohnoh, mexado, innosend, suresms,compaya and hardwired, mobilenl, sloono, smsat and wannfind, agiletelecom, smsviainternet, infobip, at&t, smscom, coolsms, smsglobal, aruhat, massenversand, smstrade.#######################################################################################################
Xploit: Upload Vulnerability
Step 1: Register first :D
Step 2: Goto your profile "Mysms" option
Step 3: The attacker can upload shell in the "Import phonebook" option and it doesnt validate anyfileformat so upload your shell
DEMOU URL :http://server/?option=com_mysms&Itemid=0&task=phonebook
Step 4: your shell is uploaded and now you do ur job ;)######################################################################################################## 0day no more # Sid3^effects
